Date: Mon, 22 Oct 2007 12:28:41 -0500
From: Shaun <shaun@...unc.com>
To: James Lay <jlay@...ve-tothe-box.net>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Spike in SSH scans

I saw an unusually high volume of scans between 2200 and 0000 last night
on my residential connection. They all made their initial probe using
'mysql' as the user. On average it looks like each of them made around
15 attempts, which is fairly low, and points to a scanner smart enough
to recognize that it's been firewalled out.

So far, nothing out of the ordinary at work or on dedicated servers.
Maybe it's only targeting consumer connections? FWIW, my residential IP
is in 75.65/16.

-s

On Sun, 21 Oct 2007 21:20:38 -0600
James Lay <jlay@...ve-tothe-box.net> wrote:

> Anyone else seeing these? Started about 3 hours ago... here's a snippet:
> 
> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH
> Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc
> activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
> 
> And a current list of hits in the last 3 hours:
> 
> James

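As an added example (not code from either poster), the pattern Shaun describes, an initial probe as 'mysql' followed by only a handful of attempts per source, can be checked during log review by aggregating sshd failures per source IP alongside the Snort LibSSH alert (SID 2006435) that James quoted. The log lines, hostnames and addresses below are constructed for the example and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats seen in the thread: one Snort alert for
# the BLEEDING-EDGE "LibSSH Based SSH Connection" signature, plus sshd syslog entries.
# All addresses and usernames here are made up for the example.
SAMPLE_LOG = """\
21:19:09 gw snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.0.113.7:21823 -> 192.0.2.2:22
22:01:10 gw sshd[1201]: Failed password for invalid user mysql from 203.0.113.7 port 21823 ssh2
22:01:12 gw sshd[1202]: Failed password for invalid user mysql from 203.0.113.7 port 21824 ssh2
22:01:15 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 21825 ssh2
22:05:00 gw sshd[1300]: Failed password for invalid user test from 198.51.100.9 port 4000 ssh2
22:05:01 gw sshd[1301]: Failed password for invalid user mysql from 198.51.100.9 port 4001 ssh2
22:30:00 gw sshd[1400]: Accepted publickey for alice from 192.0.2.50 port 5000 ssh2
"""

# Snort alert for the LibSSH signature; capture the source address of the connection.
SNORT_RE = re.compile(r"\[1:2006435:\d+\] .*?\{TCP\} (?P<src>[\d.]+):\d+ -> ")
# sshd failed-login line; "invalid user" is present when the account does not exist.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port")

def summarize(log_text):
    """Per source IP: number of failed logins, the usernames tried in order, and
    whether the LibSSH signature fired for that source."""
    stats = defaultdict(lambda: {"attempts": 0, "users": [], "libssh_alert": False})
    for line in log_text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            stats[m.group("src")]["libssh_alert"] = True
            continue
        m = SSHD_RE.search(line)
        if m:
            entry = stats[m.group("src")]
            entry["attempts"] += 1
            entry["users"].append(m.group("user"))
    return dict(stats)

def matches_campaign(entry, first_user="mysql", max_attempts=15):
    """The pattern from the thread: the first probe uses 'mysql' and the source stops
    after a small number of tries (the low count itself is part of the tell)."""
    return bool(entry["users"]) and entry["users"][0] == first_user \
        and entry["attempts"] <= max_attempts

def flag_sources(log_text):
    """Sorted list of source IPs whose activity matches the described campaign."""
    return sorted(src for src, e in summarize(log_text).items() if matches_campaign(e))
```

Sources with a matching Snort alert but no sshd failures are retained in the summary so they can be cross-checked, but only sources with a visible login attempt are flagged.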

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
